HIPAA Security: Case Studies for Small and Medium Healthcare Organizations

1
Systems Criticality Matrix
National Security Agency Information Assurance
Methodology
2
OCTAVESM

• Operationally Critical, Threat, Asset and
  Vulnerability Evaluation
• Sort through complex organizational and
  technological issues
• Defines an approach to information security risk
  evaluations
• Comprehensive
• Systematic
• Context driven
• Self-directed
• Self directed
• Business and IT part of the team
• Three Phases
• Build asset-based threat profiles
• Identify infrastructure vulnerabilities
• Develop security strategy and plans

OCTAVESM Carnegie Mellon Software Engineering
Institute
3
M M L M L - M M M M H
Disclosure
Accidental
Modification
M M L M L - M M H M H
Loss, Destruction
Interruption
Inside
M M L M L - M M M M H
Disclosure
Modification
M M H M H - M M H M H
Deliberate
Loss, Destruction
Interruption
Network
Patient Records System
M M L M L - M M M M H
Disclosure
Accidental
Modification
M M H M H - M M H M H
Loss, Destruction
Interruption
Outside
H H L M L - M M H M H
Disclosure
Modification
Deliberate
M M H M H - M M H M H
Loss, Destruction
Interruption
Reputation Financial Productivity Fines Safety Oth
er
Human Actors Using Network Access
OCTAVESM Carnegie Mellon Software Engineering
Institute
4
M M L M L - M M M M H
M M L M L - M M H M H
M M L M L - M M M M H
M M H M H - M M H M H
Patient Records System
M M L M L - M M M M H
M M H M H - M M H M H
H H L M L - M M H M H
Threat Profile System Problems
M M H M H - M M H M H
Reputation Financial Productivity Fines Safety Oth
er
OCTAVESM Carnegie Mellon Software Engineering
Institute
5
Human Actors Using Network Access Basic
Risk Profile
OCTAVESM Carnegie Mellon Software Engineering
Institute